Cisco Support Community
site to site VPN tunnel initiating problem

We are trying to bring up a site-to-site VPN. But the problem is that it only comes up when I initiate a ping from my end.

My firewall is an ASA5540 running software version 7.2(3), while the other one is a Cisco ASA5520 running software version 7.2(4)9. Help, what could be the problem?

3 REPLIES

Re: site to site VPN tunnel initiating problem

Winnie

Probably the most common reasons why a VPN only initiates from one side are:

- one side has a fixed IP address while the other side has a dynamic IP address.

- there is a mismatch between the sides about what constitutes interesting traffic for the VPN.

Do either of these situations apply to you?

HTH

Rick

Re: site to site VPN tunnel initiating problem

Hi Rick,

As per my experience, if the interesting traffic is not defined symmetrically (mismatch), the IPSec negotiation fails.

So I don't think this is a problem, because the IPSec VPN comes up for him.

The static/dynamic address pair is a much more likely cause, as you mentioned.

Winnie,

I don't quite get if your problem is that the VPN comes up from one side only, or the problem is that it comes up only after pinging?

Did you try to send interesting traffic before trying pings?

Thanks,

Istvan
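To make the "interesting traffic must be defined symmetrically" point from Rick's and Istvan's replies concrete, here is an added example (not code from the thread or from Cisco) that takes the crypto-map ACLs from both ASAs and checks that the remote ACL is the exact mirror image of the local one. The ACL names VPN-TO-B / VPN-TO-A and the address ranges are constructed for the example; the parser only understands plain `extended permit ip` ACEs in the `NETWORK MASK`, `host ADDR` and `any` forms, which is what a crypto ACL should contain, and ignores object-groups and port-level entries.

```python
"""Mirror-image check for site-to-site IPsec crypto ACLs (ASA syntax).

A crypto ACL on one peer must be the mirror image of the ACL on the other
peer: every (src, dst) pair on side A must appear as (dst, src) on side B.
An entry that exists on only one side, or whose mask differs, produces
Phase 2 proxy-ID mismatches, so the tunnel negotiates from one side only
or not at all.  ACL names and addresses below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (source network, destination network) as CIDR text


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Parse one ASA address spec starting at tokens[i]; return (cidr, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return "0.0.0.0/0", i + 1
    if t == "host":
        return str(ipaddress.ip_network(tokens[i + 1] + "/32")), i + 2
    # "NETWORK MASK" form with a dotted-decimal mask; strict=False tolerates
    # host bits so a sloppy-but-accepted ACE still parses.
    net = ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)
    return str(net), i + 2


def parse_crypto_acl(config: str, name: str) -> Set[Pair]:
    """Return the set of (src, dst) CIDR pairs permitted by access-list `name`.

    Only 'access-list NAME extended permit ip ...' lines are used; remarks,
    deny entries and ACEs for other protocols are ignored.
    """
    pairs: Set[Pair] = set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _addr(tokens, 5)
        dst, _ = _addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local: Set[Pair], remote: Set[Pair]) -> Dict[str, List[Pair]]:
    """Report every way the remote ACL fails to mirror the local one."""
    expected_remote = {(dst, src) for (src, dst) in local}
    return {
        "missing_on_remote": sorted(expected_remote - remote),
        "unexpected_on_remote": sorted(remote - expected_remote),
    }


# Constructed sample: site A (10.1.0.0/16, 10.2.0.0/24) talking to site B (172.16.0.0/24).
LOCAL_CFG = """\
access-list VPN-TO-B remark interesting traffic to site B
access-list VPN-TO-B extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip 10.2.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip host 10.1.1.10 host 172.16.0.5
"""

# Site B's ACL: the second entry uses a /16 mask for 10.2.0.0 instead of /24.
REMOTE_CFG = """\
access-list VPN-TO-A extended permit ip 172.16.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN-TO-A extended permit ip 172.16.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list VPN-TO-A extended permit ip host 172.16.0.5 host 10.1.1.10
"""


def check_sample() -> Dict[str, List[Pair]]:
    """Run the mirror check over the constructed sample configs."""
    local = parse_crypto_acl(LOCAL_CFG, "VPN-TO-B")
    remote = parse_crypto_acl(REMOTE_CFG, "VPN-TO-A")
    return mirror_mismatches(local, remote)


if __name__ == "__main__":
    for kind, entries in check_sample().items():
        for src, dst in entries:
            print(f"{kind}: {src} -> {dst}")
```

Paste the output of `show run access-list` from each ASA into the two strings and give the function the name referenced by each side's `crypto map ... match address`. An empty result for both lists means the proxy IDs will agree in either direction; anything listed is an entry to fix on the side named.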


Re: site to site VPN tunnel initiating problem

Just to add to the others' good suggestions. One possible reason is that one end of the connection has an access-list applied to the interface where the interesting traffic comes from.

Hence if one side initiates the connection and traffic flows from one side to the other, it works fine because the return traffic is not subject to the access-list, as it is stateful traffic. However, traffic may be stopped from being initiated on the other side because of the access-list.

Jon
